public static function createSalt($length = 32, $add_entropy = null, $do_secure = true)
 {
     if (@(include_once 'sources/csprng/support/random.php' !== false && $do_secure)) {
         // Do this cryptographically securely
         try {
             $rng = new CSPRNG();
             $salt = $rng->GenerateString($length);
         } catch (Exception $e) {
             // run this again, not securely to escape the error
             self::createSalt($length, $add_entropy, false);
         }
     } else {
         // Don't give up the ghost, try something that's not quite as good
         $id1 = uniqid(mt_rand(), true);
         $id2 = md5(date('dDjlSwzWFmMntLYayABgGhiHsOZ'));
         $id3 = crc32(self::curPageURL());
         $charset = "!@#~`%^&*()-_+={}|[]:;'<>?,./";
         $repeats = rand(0, 64);
         $i = 0;
         $csl = strlen($charset);
         while ($i < $repeats) {
             $pos = rand(0, $csl - 1);
             $id4 = substr($charset, $pos, 1);
             ++$i;
         }
         $salt = sha1($id2 . $id1 . $id3 . $id4 . $add_entropy);
         // add extra entropy if provided.
         $len = strlen($salt);
         if ($length > $len) {
             $length = $len;
         }
         $diff = strlen($salt) - $length;
         $offset = rand(0, $diff);
         $salt = substr($salt, $offset, $length);
     }
     return $salt;
 }
Exemplo n.º 2
0
     if (!isset($protectedfields[$key]) || !$protectedfields[$key]) {
         $userinfo[$key] = isset($_REQUEST["field_edit_" . md5($key)]) ? $_REQUEST["field_edit_" . md5($key)] : "";
     }
 }
 if (function_exists("AdminHook_EditUser_PostFieldsCheck")) {
     AdminHook_EditUser_PostFieldsCheck();
 }
 if ($sso_site_admin && isset($_REQUEST["impersonation"])) {
     if (!(int) $_REQUEST["impersonation"]) {
         unset($userinfo["sso__impersonation"]);
         unset($userinfo["sso__impersonation_key"]);
         unset($userinfo["sso__impersonation_auto"]);
     } else {
         if (!isset($userinfo["sso__impersonation"])) {
             $userinfo["sso__impersonation"] = "1";
             $userinfo["sso__impersonation_key"] = $sso_rng->GenerateString(64);
             $userinfo["sso__impersonation_auto"] = "0";
         }
         if (isset($_REQUEST["reset_impersonation_key"]) && $_REQUEST["reset_impersonation_key"] == "yes") {
             $userinfo["sso__impersonation_key"] = $sso_rng->GenerateString(64);
         }
         if (isset($_REQUEST["impersonation_auto"])) {
             $userinfo["sso__impersonation_auto"] = (string) (int) $_REQUEST["impersonation_auto"];
         }
     }
 }
 $info2 = SSO_CreateEncryptedUserInfo($userinfo);
 $sso_db->Query("UPDATE", array($sso_db_users, array("version" => (int) $_REQUEST["version"], "info" => serialize($userinfo), "info2" => $info2), "WHERE" => "id = ?"), $row->id);
 if ($sso_site_admin && $_REQUEST["tag_id"] != "" && $_REQUEST["tag_reason"] != "") {
     try {
         $sso_db->Query("INSERT", array($sso_db_user_tags, array("user_id" => $row->id, "tag_id" => (int) $_REQUEST["tag_id"], "issuer_id" => $sso_user_id, "reason" => $_REQUEST["tag_reason"], "created" => CSDB::ConvertToDBTime(time()))));
Exemplo n.º 3
0
     $seed = $rng->GenerateToken(128);
     if ($seed === false) {
         InstallError("Seed generation failed.");
     }
     define("SSO_BASE_RAND_SEED" . ($x ? $x + 1 : ""), $seed);
 }
 define("SSO_USE_LESS_SAFE_STORAGE", $_REQUEST["sso_use_less_safe_storage"] == "yes");
 // Connect to the database server.
 $databases = SSO_GetSupportedDatabases();
 $dbtype = (string) $_REQUEST["db_select"];
 if (!isset($databases[$dbtype])) {
     InstallError("Please select a database server.");
 }
 if ($_REQUEST["db_dsn"] == "") {
     $dsn = $databases[$dbtype]["default_dsn"];
     $dsn = str_replace("@RANDOM@", $rng->GenerateString(), $dsn);
     $dsn = str_replace("@PATH@", str_replace("\\", "/", dirname(__FILE__)), $dsn);
     $_REQUEST["db_dsn"] = $dsn;
 }
 require_once "support/csdb/db_" . $dbtype . ".php";
 $dbclassname = "CSDB_" . $dbtype;
 try {
     $db = new $dbclassname($dbtype . ":" . $_REQUEST["db_dsn"], $databases[$dbtype]["login"] ? $_REQUEST["db_user"] : false, $databases[$dbtype]["login"] ? $_REQUEST["db_pass"] : false);
     if ($_REQUEST["db_master_dsn"] != "") {
         $db->SetMaster($dbtype . ":" . $_REQUEST["db_master_dsn"], $databases[$dbtype]["login"] ? $_REQUEST["db_master_user"] : false, $databases[$dbtype]["login"] ? $_REQUEST["db_master_pass"] : false);
     }
 } catch (Exception $e) {
     InstallError("Database connection failed.  " . htmlspecialchars($e->getMessage()));
 }
 try {
     InstallSuccess("Successfully connected to the database server.  Running " . htmlspecialchars($db->GetDisplayName() . " " . $db->GetVersion()));
Exemplo n.º 4
0
     $session_info = unserialize($sessionrow->info);
     if (!isset($session_info["validated"])) {
         SSO_EndpointError("Namespace referenced session is not validated.");
     }
     if (!isset($session_info["ipaddr"]) || !isset($_REQUEST["ipaddr"]) || $session_info["ipaddr"] != $_REQUEST["ipaddr"]) {
         SSO_EndpointError("Namespace referenced session is from an unspecified or different IP address.");
     }
     $result = array("success" => true);
     SSO_EndpointOutput($result);
 } else {
     if ($sso_data["action"] == "initlogin") {
         if ($sso_apikey_info["type"] != "normal") {
             SSO_EndpointError("Invalid API key type.");
         }
         // Create a new session.
         $sid = $sso_rng->GenerateString();
         $recoverid = $sso_rng->GenerateString();
         $info = array("url" => base64_encode(isset($sso_data["url"]) ? $sso_data["url"] : ""), "files" => (bool) (int) (isset($sso_data["files"]) ? $sso_data["files"] : 0), "initmsg" => base64_encode(isset($sso_data["initmsg"]) ? $sso_data["initmsg"] : ""), "rid" => $recoverid, "appurl" => base64_encode(isset($sso_data["appurl"]) ? $sso_data["appurl"] : ""));
         if ($info["url"] == "") {
             SSO_EndpointError("Return URL not specified.");
         }
         $sso_db->Query("INSERT", array($sso_db_temp_sessions, array("apikey_id" => $sso_apirow->id, "updated" => CSDB::ConvertToDBTime(time()), "created" => CSDB::ConvertToDBTime(time()), "heartbeat" => SSO_HEARTBEAT_LIMIT, "session_id" => $sid, "ipaddr" => isset($_REQUEST["ipaddr"]) ? $_REQUEST["ipaddr"] : "APIKEY: " . $sso_ipaddr["ipv6"], "info" => serialize($info), "recoverinfo" => base64_encode(isset($sso_data["info"]) ? $sso_data["info"] : "")), "AUTO INCREMENT" => "id"));
         $id = $sso_db->GetInsertID();
         $url = SSO_LOGIN_URL . "?sso_id=" . urlencode($sid . "-" . $id) . "&lang=" . urlencode(isset($sso_data["lang"]) ? $sso_data["lang"] : "");
         if (isset($sso_data["extra"])) {
             foreach ($sso_data["extra"] as $key => $val) {
                 $url .= "&" . urlencode($key) . "=" . urlencode($val);
             }
         }
         $result = array("success" => true, "url" => $url, "rid" => $recoverid);
         SSO_EndpointOutput($result);